Improving Static Application Security Testing for JavaScript via Testability Patterns

Web applications nowadays are present in different domains, from configuration panels of IT devices to the core of large scale enterprise system and are so used by millions of users everyday. Therefore, security plays a key role in their development and use. The purpose of this internship is to understand how web applications programming language particularities impact on the outcomes of Static Application Security Testing (SAST) tools to scan web applications code to figure out vulnerabilities, by producing a series of patterns. This thesis work is focused on JavaScript (JS) language, which is one of the most used today for the development of web applications. Indeed, some language peculiarities could influence the outcome of the analysis performed by the tools, thus generating false positives (FP) and false negatives (FN) results. The first part of this project consists in the definition of an arsenal toolset, composed both from commercial marketplace and open source community tools, for JS and HTML programming languages. Then, a series of patterns have to be created, as they define the dimension of testability. In fact, a pattern becomes of interest, as testability pattern, when the arsenal of tools generates, from it, an unexpected result (FP or FN). As second part, Abstract Syntax Tree (AST) is taken into account since over an application could simplify the evidence of a specific testability pattern inside it. To measure the practical relevance of patterns created in the first part, some popular open source web applications have to be selected for the testbed. As third and last step, some Use Cases of real web applications are reported as Proof Of Concept to show how testability pattern can be transformed to increase the SAST testability measure and to give a relevant feedback to the web application programmer.